Overview
dr_flac, an open-source FLAC audio decoder that is part of the dr_libs audio decoder toolset, contains an integer overflow vulnerability that allows denial of service (DoS) when it is given a specially crafted file. An attacker can exploit this vulnerability by supplying a specially crafted file to a tool that uses dr_flac, causing the tool to crash. The vulnerability, tracked as CVE-2025-14369, has been patched in commit b2197b2 of dr_flac. In an enterprise setting, audio tools that use dr_flac may crash or behave abnormally if they process attacker-controlled files.
Description
dr_libs is an open-source audio decoding toolset. It consists of three separate decoders, dr_flac, dr_mp3, and dr_wav, which decode FLAC, MP3, and WAV files respectively.
An integer overflow vulnerability, tracked as CVE-2025-14369, has been discovered in dr_libs. An attacker who can supply crafted FLAC files to the tool may trigger the allocation of a large amount of memory, leading to a crash or other unintended behavior of the tool.
During decoding, a single block of memory is allocated based on totalPCMFrameCount, which is taken from the FLAC metadata without validation before the buffer size is calculated. A specially crafted file can therefore cause an arbitrary amount of memory to be allocated.
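As an added illustration (not dr_flac's code and not the actual patch), the pattern described above in generic C: a buffer-size computation that trusts a metadata frame count, beside a checked version that rejects wrap-around and absurd sizes. The function names, the byte ceiling and the sample values are constructed for this example; totalPCMFrameCount is the field named in the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Unchecked pattern: a frame count read straight from stream metadata
   (the advisory's totalPCMFrameCount) is multiplied up to a byte count and
   handed to the allocator. With a hostile count the product wraps and the
   buffer ends up far too small (here: zero bytes) for the samples later
   written into it. Illustrative only, not dr_flac's code. */
size_t naive_pcm_buffer_size(uint64_t total_pcm_frames,
                             unsigned channels, unsigned bytes_per_sample)
{
    return (size_t)(total_pcm_frames * channels * bytes_per_sample);
}

/* Hardened pattern: check each multiplication for wrap-around and cap the
   result so a valid-looking but absurd count cannot force a huge
   allocation. Returns false on rejection and leaves *out untouched. */
bool checked_pcm_buffer_size(uint64_t total_pcm_frames,
                             unsigned channels, unsigned bytes_per_sample,
                             uint64_t max_bytes, size_t *out)
{
    if (channels == 0 || bytes_per_sample == 0) return false;
    if (total_pcm_frames > UINT64_MAX / channels) return false;   /* would wrap */
    uint64_t samples = total_pcm_frames * channels;
    if (samples > UINT64_MAX / bytes_per_sample) return false;    /* would wrap */
    uint64_t bytes = samples * bytes_per_sample;
    if (bytes > max_bytes || bytes > (uint64_t)SIZE_MAX) return false; /* too big */
    *out = (size_t)bytes;
    return true;
}

int main(void)
{
    /* Constructed inputs: a one-minute stereo 32-bit stream, then a hostile count. */
    uint64_t sane = 44100ull * 60, hostile = (uint64_t)1 << 61;
    uint64_t cap = 1ull << 30; /* example ceiling: 1 GiB of decoded PCM */
    size_t n = 0;
    printf("naive, sane:      %zu bytes\n", naive_pcm_buffer_size(sane, 2, 4));
    printf("naive, hostile:   %zu bytes (wrapped)\n", naive_pcm_buffer_size(hostile, 2, 4));
    printf("checked, sane:    %s\n", checked_pcm_buffer_size(sane, 2, 4, cap, &n) ? "ok" : "rejected");
    printf("checked, hostile: %s\n", checked_pcm_buffer_size(hostile, 2, 4, cap, &n) ? "ok" : "rejected");
    return 0;
}
```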
Impact
An attacker able to supply input data, in the form of FLAC files or another input stream, to a tool that uses dr_flac could cause a crash, resulting in denial of service.
Solution
Commit b2197b2, released on GitHub, fixes the issue. Users should update to the latest version as soon as possible. All versions prior to commit b2197b2 are affected.
Acknowledgements
Thanks to Maor Caplan for reporting this vulnerability. This document was written by Christopher Cullen.